arXiv:1506.02152vl [cs.IT] 6Jun2015 


Nested Lattice Codes for Secure Bidirectional 
Relaying with Asymmetric Channel Gains 

Shashank Vatedka and Navin Kashyap 
Dept, of Electrical Communication Engineering 
Indian Institute of Science, Bangalore, India 
Email: {shashank,nkashyap}@ece.iisc.ernet.in 


Abstract —The basic problem of secure bidirectional relaying 
involves two users who want to exchange messages via an 
intermediate ”honest-but-curious” relay node. There is no direct 
link between the users; all communication must take place via 
the relay node. The links between the user nodes and the relay 
are wireless links with Gaussian noise. It is required that the 
users’ messages be kept secure from the relay. In prior work, 
we proposed coding schemes based on nested lattices for this 
problem, assuming that the channel gains from the two user 
nodes to the relay are identical. We also analyzed the power- 
rate tradeoff for secure and reliable message exchange using our 
coding schemes. In this paper, we extend our prior work to the 
case when the channel gains are not necessarily identical, and are 
known to the relay node but perhaps not to the users. We show 
that using our scheme, perfect secrecy can be obtained only for 
certain values of the channel gains, and analyze the power-rate 
tradeoff in these cases. We also make similar observations for 
our strongly-secure scheme. 

I. Introduction 

Lattice codes for Gaussian channels have received a lot of 
attention in the recent past. They have been shown to achieve 
the capacity of the power-constrained AWGN channel [2], and 
have been used with great success for physical layer network 
coding for Gaussian networks [8]. They have also been used to 
design coding schemes for secure and reliable communication 
over the Gaussian wiretap channel [6] and the bidirectional 
relay [4], [9]. In this paper, we study secure bidirectional 
relaying, where two users A and B want to exchange messages 
via an “honest-but-curious” relay R. The relay acts as a passive 
eavesdropper, but otherwise conforms to the protocol which it 
is asked to follow, i.e., it does not modify or tamper with 
the message it has to forward. We also assume that there is 
no direct link between the user nodes, and all communication 
between A and B must happen via R. 

We use the two-phase compute-and-forward protocol [7] for 
bidirectional relaying, which we briefly describe here. Let q be 
a prime number and m be a positive integer. User nodes A and 
B have messages X and Y respectively, which are assumed to 
be uniformly distributed over F™, where denotes the finite 
field with q elements. Let 0 denote the addition operation in 
F™. In the first phase, also called the multiple access channel 
(MAC) phase, the messages are mapped to n-dimensional 
real-valued codewords U and V respectively, and transmitted 
simultaneously to R, who receives 

( 1 ) 


Here hi , /12 G R, and Z is additive white Gaussian noise 
(AWGN) with variance cr^. The relay computes an integer- 
linear combination of the messages, kiX(Bk 2 Y, and forwards 
this to the user nodes in an ensuing broadcast phase. If q 
does not divide k 2 (resp. fci), then A (resp. B) can recover Y 
(resp. X). In this paper, we will be concerned only with the 
MAC phase, i.e., we only want to ensure that the relay can 
compute the integer-linear combination k^X 0 k 2 Y. In fact, 
by restricting ourselves to the MAC phase, we can consider 
the more general problem where the messages X and Y are 
uniformly distributed over a finite Abelian group G, with 0 
denoting addition in G, and the relay must be able to compute 
an integer-linear combination kiX (B ^ 2 ^. Here, we use the 
notation kiX to denote the sum of X with itself fci — 1 
times, i.e., 2X = X (B X, iX = X (B X ® X, and so on. 
Likewise, k 2 Y denotes the sum of Y with itself /c 2 — 1 times. 
All our results will hold for this general case where R wants to 
compute kiX®k 2 Y, where X and Y are uniformly distributed 
over a finite Abelian group G. 

We impose the additional constraint that R must not get any 
information about the individual messages. Specifically, we 
address the problem under two measures of security: 

(51) Perfect secrecy: The received vector is independent of the 
individual messages, i.e., W _LL X and W _LL Y. 

(52) Strong secrecy: The information leaked by W about the 
individual messages must be vanishingly small for large 
n, i.e., lim„_>oo W) = lim 

n—J-oo /(y;W) = o 

The secure bidirectional relaying problem was first studied 
in [4] and subsequently in [5], where the authors gave a 
strongly-secure scheme for the case hi = /i 2 = 1 using 
lattice codes and randomization using universal hash functions. 
This was later studied by [9], who gave a coding scheme 
(also for hi = (12 = 1) for secrecy using nested lattice 
codes and randomization using probability mass functions 
(pmfs) obtained by sampling well-chosen probability density 
functions (pdfs). It was shown that using a pmf obtained by 
sampling the Gaussian density, strong secrecy can be obtained 
(a technique that was first used for the Gaussian wiretap 
channel in [6]). It was also shown in [9] that by choosing a 
density function having a compactly supported characteristic 
function, even perfect secrecy can be achieved. 

In this paper, we extend the results of [9], and make an 
attempt to study the robustness of the schemes presented there. 


W = hiU0h2V0Z. 


In a practical scenario, the user nodes may not know hi and 
/i2 exactly, since there is always an error in estimation of the 
channel gains. In this paper, we assume that the user nodes do 
not know the values of the channel gains hi and /i2- However, 
the relay is assumed to know hi and /12 exactly. We want to 
know if it is still possible to achieve security in this situation. 
We split the analysis into two parts: ( 1 ) the case when /11//12 
is irrational, and ( 2 ) when /11//12 is rational. We will see that 
no lattice-based coding scheme can guarantee secrecy in case 
( 1 ), and find sufficient conditions to guarantee perfect/strong 
security in the latter case. 

If hi/h2 is rational, then we can express hi = hli and 
/i2 = hh for some real number h and co-prime integers li 
and 12 - Therefore, in the first few sections, we will assume 
that the channel gains hi and /12 are co-prime integers, but 
are unknown to both users, and that (fci,fc2) = {hi,h2)- We 
want to ensure that the relay can securely compute kiX(Bk2Y. 
In the specific case of the bidirectional relay problem, we can 
choose G = F™ to ensure that the user nodes can recover 
the desired messages from kiX © k2Y. Note that if G is an 
arbitrary finite Abelian group, then it is not guaranteed that one 
can recover X (resp. Y) given Y (resp. X) and kiX © k2Y. 
The relay also needs to forward /ii,/i2 to the users in the 
broadcast phase to ensure message recovery, since the users 
have no knowledge of the channel gains prior to the broadcast 
phase. 

We will mostly study the noiseless scenario, i.e., the relay 
receives W = hiXJ + /12V, and find conditions under which 
our scheme achieves security. The problem therefore is to 
ensure secure computation of kiX © k2Y from fciU + k2'V. 
We can see that if the order of X divides ki, then kiX © k2Y 
is simply k2Y, and confidentiality of the message Y is lost. 
We will therefore make the assumption that the order of no 
element of G divides ki or ^2. We will also briefly discuss 
achievable rates in presence of Gaussian noise, but without 
any proofs. 

We remark that demanding security in the noiseless scenario 
is a much stronger condition. Since the additive noise Z 
is independent of everything else, X hiXJ + h2'V 
/iiU+ft,2V+Z forms a Markov chain, and hence, I{X; /11U+ 
/12V + Z) < + hfV). Therefore, any scheme 

that achieves perfect/strong secrecy in the noiseless setting 
also continues to achieve the same in presence of noise. 
Furthermore, such a scheme has the added advantage that 
security is achieved irrespective of the distribution on Z, and 
even when this distribution is unknown to the users. 

The paper is organized as follows: The coding scheme 
is described in Section II-A. We discuss perfect secrecy in 
Section III, and Theorem 2 gives sufficient conditions for 
achieving perfect security with integral channel gains. Strong 
secrecy is studied in Section IV, and Theorem 5 gives suf¬ 
ficient conditions for achieving strong secrecy with integral 
channel gains. In Section V, we discuss the case where the 
channel gains are not integral and co-prime, and conclude with 
some final remarks. 


II. Notation and definitions 

We use the notation followed in [ 9 ]. For the basic definitions 
and results related to lattices, see, e.g., [ 2 ], [ 9 ]. Given a lattice 
A, the fundamental Voronoi region is denoted by V(A). The 
Fourier dual lattice of A is defined as A := {x € R" : (x, y) € 
27 rZ Vy G A}. If A and B are subsets of R", then A-{- B := 
{x + y : X G y G B} denotes their Minkowski sum. Also, 
for X G M" and a, & G R, ax + bB := {ax + 6 y : y G B}. 


A. The coding scheme 

A (A, Aq,/) coding scheme is defined by the following 
components: a pair of nested lattices (A, Aq) in R", where 
Aq C a, and a well chosen continuous pdf / over R". We 
assume that hi and /12 are integers, and {ki,k2) = (^17^2)- 

• Lattices: The nested lattices A and Aq are chosen such 
that A/Aq is isomorphic to G. To ensure that the user 
nodes can recover the desired messages from kiX © k2Y, 
we could choose A and Aq to be nested Construction-A 
lattices [ 2 ] over for a prime q. Specifically, we could 
choose a A constructed from an linear code C of length n 
and dimension mi, and Aq from an linear code Cq having 
length n and dimension mg, with Cq C C. If m := mi — 
mo, then there exists a group isomorphism from A/Aq 
to F™ [ 7 ]. Furthermore, one can recover X (resp. Y) 
from kiX © k2Y if Y (resp. X) is known, provided that 
q does not divide hi or /i2- However, we will prove our 
results on secure computation of kiX(Bk2Y for the more 
general case where A and Aq are arbitrary n-dimensional 
nested lattices and G = A/Aq. 

• Messages: The messages are chosen uniformly at random 
from G. Since A/Aq = G, each message can be identified 
by a coset of Aq in A. We also define M := |G|, and the 
rate of the code is i? = i log2 M. 

• Encoding: Given a message/coset x G G, node A trans¬ 
mits a vector u G R" with probability 


FU|a;(u) 


f /(u) 

lo, 


if u G X 
otherwise. 


( 2 ) 


Likewise, B transmits v G y with probability pv|y(v). 
The scheme can satisfy an average power constraint: 
iE||U||2 = iE||V||2<p. 

• Decoding: The relay finds the closest point in A to the 
received vector w, and determines hiX © h2Y to be the 
coset to which this point belongs. 

We are mainly interested in two kinds of pdfs / over R”: 

• Density with a compactly supported characteristic func¬ 
tion for perfect secrecy: Let il) be the characteristic 
function corresponding to /. Let 7 ^(' 0 ) be the support of 
f), i.e., the region where tp is nonzero. We will show that 
for certain values of {hi, h2), if 'R-{'tp) is supported within 
a certain compact subset of R", then perfect secrecy can 
be obtained. 



• The Gaussian density for strong secrecy: For x, w £ K." 
and P > 0 , we define 

3 -x.Vp(-) = ’ 

ff_x,Vp(^) = Ewga 3 -x,Vp(w)- For ease of no¬ 
tation, we will use g^{w) and g^{K) instead of 
9 o 9 o y/pi^) respectively. We will show that 

if Ao satisfies certain properties, then with f = g we 
can obtain strong secrecy. 

We say that a rate R is achievable with perfect (resp. strong) 
secrecy using our scheme if there exist {A,Ao,f) coding 
scheme having rate R such that (SI) (resp. (S 2 )) is satisfied, 
and the probability of error of decoding hiX © h2Y at the 
relay goes to 0 as n —>■ oo. 


III. Perfect secrecy with integral channel gains 
A. The noiseless case 

In this section and the next, we assume that hi and (12 
are co-prime integers, and (^1,^2) = {hi,h2)- A key tool 
in studying the scheme for perfect security is the following 
lemma from [ 9 ], which we reproduce here: 


Lemma 1 (Proposition 5 , [ 9 ]). Let x £ K.". Let f be a pdf over 
M" such that the corresponding characteristic function, ip, is 
compactly supported within V(A). Then, := 

characteristic function of a random vector 
supported within A + x, and having pmf 


p{u) 


vol(V(A))/(u) i/u£A + x 
0 otherwise. 


In other words, if ip is compactly supported within V(A), 
then (p{t) is the characteristic function corresponding to the 
pmf obtained by sampling and normalizing / over A + x. 

Given message (coset) x, user A transmits a random point 
U in the coset x according to distribution pu\x as given by 
( 2 ), and given message y at B, the user transmits V in the 
coset y according to distribution pv|y(Y). The density / from 
which these pmfs are sampled from is compactly supported 
within TZ{ip). The following result gives sufficient conditions 
under which perfect security is achieved. 


Theorem 2 . If the order of no nonzero element of A/Aq 
divides hi or /12, and R-{ip) is contained within the interior of 
then {hiV + (12V) _ 1 L a: and {hiV + (12V) JL Y. 

If A and Aq are Construction-A lattices obtained from linear 
codes over F^, then the order of no nonzero element of A/Aq 
divides hi or (i2 iff q does not divide hi or (12- 

We can choose a characteristic function ip which is sup¬ 
ported within a ball of radius r = Q;rpack(Ao) (a < 1 ), 
where rpack(Ao) denotes the packing radius of Aq. Such 
characteristic functions indeed exist, and the interested reader 
is directed to [ 9 ] for examples. If r < 2rpack(Ao)/(|/li| + |/l2|), 
then we certainly have TZlip) C 2V(Ao)/(|/ii| + |/i2|), which 
guarantees perfect secrecy. Therefore, perfect secrecy can be 
attained for all hi , /12 that have the order of no element of G 


as a divisor, and 2 /{\hi \ + \h2\) > a. An interesting point to 
note at this juncture is that the nested lattice pair does not have 
to satisfy any additional properties in order to obtain perfect 
secrecy. The above result holds for any pair of nested lattices, 
and for any value of the dimension n, unlike most results on 
secrecy which usually require the lattices to satisfy special 
properties and n to be sufficiently large. 

Proof of Theorem 2 : Fix any x,y £ G. We want to 
show that Ph-i_\j+h2'v\x = PAiU-i-iiaV, and Phi\j+h2'v\y = 
PhiU+h^y- We only prove the first statement here, and the 
second can be proved analogously. Let ip be the characteristic 
function corresponding to /, and (phi\]\x be the characteristic 
function of hfU conditioned onX = x. Furthermore, let (ph^u 
and (ph2sr be the characteristic functions of hfU and hfV 
respectively. We will show that (phi\j\x(ph2-v = (phi\j(ph2V- 
Let X be the coset representative of x within V(Ao). Using 
Lemma 1 , we have 

aga AgA 

and 

(ph^lJ\xit) = 

AgAq 

Since Aq C A, we have A C Aq. Using this, and the fact that 
(A, x) £ 27 rZ for A £ A, we can write 

(ph^v\x(t) = (ph^-uit) + ^ ( 3 ) 

agAo\a ^ I 2 


Therefore, (phiij\x{^)(ph2'v{t) = (phiu{t)(ph2v{t) is equiva¬ 
lent to 


agAo\A 



g-i(A.x) ^ 


or 


a'gA 



agAo\A 



i(A,x) 


= 0 . 


It is enough to show that for every Ai £ Aq \ A, A2 £ A, and 
t £ R", Ip (1^) “ Observe that 


Supp 


(iP 


and 


Supp Ip 


Ai +1 

A 2 +1 


7 ^(V') - Ai 
\hi\ ' 

n{ip) - \2 
\h2\ ■ 


We will show that for every Ai £ Aq \ A and A2 £ A, 


Supp iP 


A2 +1 
1 ^ 
or equivalently, 

1 \hl\ 


n ^ 


n 


Ai +1 
\hi\ 


= {}, 


7 ^(V>) - A2 
\h 2 \ 


= {}, 






















where {} denotes the empty set. 

Let us assume the contrary, that there exist ti,t2 in TZ{iIj), 
Ai G Aq \ A and A2 G A such that 
be rewritten as 

\h2\t1 — |ft.l|t2 = |/l2|Al — I/11IA2. ( 4 ) 

Clearly, |/i2|ti —|/ii|t2 lies in {\h2\ + \hi\)TZ{ip), which is con¬ 
tained in the interior of 2 V(Ao). Since |/i2|Ai — |ft.i|A2 G Aq, 
the requirement ( 4 ) can be satisfied only if |ft.2|Ai — |/ii|A2 = 
0 . To complete the proof, we will obtain a contradiction by 
showing that this quantity must in fact be nonzero. To this 
end, we write Ai = A^°^ + a|^^^ where aJ°^ G Aq fl V(A), and 
Aj^^ G A. Therefore, |ft.2|A2^^ —|ft.i|A2 G A. Since Ai G Ao\A, 
we are assured that A^°^ is nonzero. Using the quotient group 
duality property of orthogonal subgroups, it can be shown that 
the quotient group Aq/A is isomorphic to A/Aq [ 3 ]. Now, we 
have assumed that the order of no nonzero element of A/Aq 
divides hi or /12. Therefore, the order of no nonzero element 
of Ao/A divides hi or /i2- Hence, [l/i2|Ai°^] mod A ^ 0 ; 
in particular, this means that |ft.2|A^° G Aq \ A. We can 
therefore say that I/12IA1 — |/ii|A2 G Aq \ A, from which the 
desired contradiction follows. This completes the proof of the 
theorem. □ 

B. Achievable rates in presence of Gaussian noise 

We choose ■!/; to be a characteristic function supported within 
a ball of radius r = arpack(Ao), as discussed in Section III-A. 
For a given Aq, it can be shown that the average transmit 
power can be made no less than ^(1 -|- o(l)), where o(l) —>■ 
0 as n —00. See, e.g., [ 9 ] for more details, and for the 
explicit form of the characteristic function that achieves this 
minimum. The following theorem can be proved analogously 
to [ 9 , Theorem 1 ]. 

Theorem 3 . Let (A, Aq) be a pair of nested lattices such that 
Aq is good for covering, Aq is good for packing, and A is 
good for AWGN channel coding^. Let ip be supported within 
a ball of radius r = arpack(Ao). Then, a rate of ^ log2 — 
log2(2e), is achievable with perfect secrecy as long as no 
nonzero element of A/Aq has order which divides either hi 
or h2, and 2 /{\hi \ + |/i2|) > a. 

IV. Strong secrecy with integral channel gains 
A. The noiseless case 

To obtain strong secrecy, we use the pmf obtained by 
sampling the Gaussian density, i.e., / = in ( 2 ). For 0 > 0 , 
the flatness factor, e\{ 6 ), is defined as [ 6 ] 

eA( 6 ») = max |vol(V(A)) 5x,e(A) - 1 |. 
xev(A) 

This parameter will be used to bound the mutual information 
between the individual messages and W. The following prop¬ 
erties of €A will be useful in the remainder of the paper: 

*For definitions of various goodness properties of lattices, see e.g. [2]. 


Lemma 4 ([ 6 ]). For every z G K" and 6 > 0 , we have 

9^,e(,^) r i-eA(6>) ' 

ge{A) ^ [l + eA(0)’ . 

Furthermore, for every n > 9 and a > 0 , we have CAi&) > 
CAin), and ea\{a 0 ) = eA{ 0 )- 

We will show that if a certain flatness factor of Aq is 
asymptotically vanishing in n, then we can obtain strong 
secrecy. Specifically, 

Theorem 5 . Let e := caq If ^ < l/ 16 e, and 

A/Aq has no nonzero element whose order divides hi or h2, 
then 

I{X-hiG + h2V) < ^ (log, |G| - log2 (^)) • 

In most communication problems, we would like to have 
|G| growing exponentially in the dimension n. In such a 
scenario, it is sufficient to have e = o(l/n) to ensure that 
-f /12V) ^ 0 and I(Y-,hiV + h2V) ^ 0 as 
n ^ 00, and thus guaranteeing strong secrecy. In fact, 
there exist Construction-A lattices for which the flatness 
factor CAoiO) goes to zero exponentially in n for all 9 that 
satisfies vol(V(Ao)) < 27 r 0 ^ [ 6 ] (also called secrecy-good 
lattices). Suppose we choose Aq which is secrecy-good, and 
vol(V(Ao)) < 27 ra^P for some a < 1 . Then, I{X;'W) 
and /(y;W) can be driven to zero exponentially in n for 
all co-prime hi,h2 that satisfy l/{hi -f h,) > c?, thereby 
ensuring strong secrecy. Unlike the scheme of Section III 
which guaranteed perfect secrecy for any pair of nested 
lattices, this scheme requires Aq to be secrecy-good to obtain 
strong security. Before we prove Theorem 5 , we state the 
following technical lemmas. 

Lemma 6 . Let A be a lattice in R", and ki , ^2 be co-prime 
integers. Then, {fciu -f k2'v : u, v G A} = A. 

Proof: Clearly, {fciu -|- fc2V : u,v G A} C A. The 
converse, A C {fciu -|- fe2V : u, v G A} can be proved using 
the fact that 3 m, I G Z such that kim -|- fc2^ = 1 if ^i, ^2 are 
co-prime, and mx, Zx G A for x G A. ■ 

Lemma 7 . Let ki, k2 be co-prime integers, and wi, W2 G R”. 
If W2 — Wi ^ A, then [kiA -\- Wi) fl (fc2A -|- W2) is empty. 
Otherwise, there exists some w' G R” so that {kiA -f wi) fl 
{k2A -f W2) = kik2A + w'. 

Proof: Define w = W2 —wi. We can write (fciA-l-wi)n 
(fc2A-|-W2) = (fciAn (fc2A-t-w)) -t-Wi. If w ^ A, then clearly 
(fciA) n (/C2A -I- w) = {}. 

Now suppose that w G A. We can write w = fciu -|- k2'v 
for some u, v G A. We will prove that (fci A) fl (fc2A -f -w) = 
fcifc2A-|-fciU. Since fc2A-|-w = fc2A-|-fciU, we have kik2A-\- 
kiti C k2A -t- w. Since we also have kik2A -f fciu C kiA, 
we can say that {kik2A -f /ciu) C (fciA) fl {k2A w). To 
complete the proof, we need to show that (fciA)n(fc2A-t-’w) C 
{kik2A -f fciu). 










For every A G (fciA) fl + w) = (fciA) fl + kiu), 
there exist x,y G A so that A = fcix = k2y + A:iu. In other 
words, A — fciu = fci(x — u) = fc2y. Hence, A — A:iu G 
kiA n fc2A. We now claim that since ki and k2 are co-prime 
integers, fciA fl fc2A = kik2A. Clearly, kik2A C kiA fl k2A. 
Let C? be a generator matrix for A. For every x G fci A fl k2A, 
there exist xi,X2 G lA so that x = feiGxi = fc2Gx2. In 
other words, fcixi = ^2X2, which implies that Xi G ^2^", 
and X2 G fciZ" since ki, ^2 are co-prime. Hence, x G kik2A, 
and fciA fl k2A C kik2A. Therefore, A — fciu G kik2A, or 
A G fcifc2A-|-fciU. Hence, (fciA)n(fc2A-|-w) C [kik2A+ki\x). 
This completes the proof. ■ 

Fix any coset (message) x G G. Let W := ft.iU + /12V. 
We define the variational distance between pw and pw|a: to 
be 

V(pw,Pw|x) := X! Ifw(w) -Pw|x(w)|, 

wGA 

and the average variational distance as 

V := ^ V(pw,Pw|a)- 

To prove the theorem, we will find an upper bound on 
the average variational distance, and then bound the mutual 
information using the average variational distance. Recall that 

£ = £Ao (\/^/(^1 + ^2)) ■ 

Lemma 8 . If e < 1 / 2 , and A/Aq has no nonzero element 
whose order divides hi or /12, then for every x G A/Aq, we 
have 

V(pw,Pw|a:) < 16e. 


Proof: Let x and y respectively denote the (unique) coset 
representatives of x and j/ in An V(Ao). We have 

FW|a:.j/(w) = y] F/tiU|a:(uH 2 V|y(w - U). ( 5 ) 

uG/1iAo+/iiX 

The supports of Phi\j\x Ph2'v\y ^iAq + Lix and 
/12A0 + h2y respectively. Hence, P/,iU|x(u)p/j2V|y(w - u) is 
nonzero iff u G (/iiAq + ft-ix) and w — u G (/12A0 + h2y), 
or equivalently, if u G (ft-iAo -I- /iix) n (ft.2Ao — /i2y + w). 
Using Lemma 7 , we have 

{hiAo + hix) n (/12A0 - h2y + w) 

{ /11/12A0-I-W' if w G Ao-I-/iix-f/i2y 
{} otherwise. 

for some w' G M". We can therefore conclude that the support 
of P'w\x,y is Aq + hix + /i2y- Since the order of no nonzero 
element of A/Aq divides /12, we have [/i2y] mod Aq ^ 0 if 
[y] mod Aq f 0 . We are therefore assured that if Ag -fyi and 
Aq + y2 are two distinct cosets of Ag in A, then Ag -b ft.2yi 
and Ag + /i2y2 are also distinct. Therefore, UygAnv(Ao) (Ag + 
/i2y) = A, and hence Uy(Ag -b /iix -b h2y) = A. Thus, we 
can conclude that the support of pw|a: is A. 


Substituting for PhiU\x, Ph2'v\y in ( 5 ) and using this in 
Fw|x(’w) = J 2 yeG l^Pw|x,y, we get 


Pw|£c(w) = 


2hfP 2hiP 


UG/ 1 - 1 / 12 A 0 +W' 


( 7 ) 


where 


^ A7(27r/ii/i2-P)”5_/iix,hivAp(^i^o)5_/i2y,/i2Vp(^2Ao). 

The remainder of the proof follows that of [ 9 , Theorem 18 ], 
and we only give an outline. A simple calculation tells us that 

.2 "- f iiwiG llu I 

_ A 2 P(hf+h^) 2 P(hfhf)\\ h'f+h '2 1 


2hiP 2hiP 


Let h := hih2/s/hf^rh^, and k := i/hf + h\. Using this 
and the above equation in ( 7 ), and simplifying, we get 


Pw|x(w) = e” 


E E 

uG/i-i/ 72 Ao+w^ 
— / 7 ^w//f 2 




Let us define t := w' — [hf /hf)^. The above equation can 
be simplified to 

, •. 1 5 fc\/p(^) 5 -t,/tUp(^i^ 2 Ao) 

FW|x(w) = J7 2^ 


— ygG 5 -/. 2 y.h 2 Vp(^ 2 Ag) 

Using Lemma 4 , we can show that e/n/iaAo 
CAo = e, and also from Lemma 4 , 


1 - e ^ g-t,/tvAp(^ife 2 Ao) ^ ^ 

l + e~ 5 h\/p(^i^ 2 Ao) “ 


Similarly, 


1 - eAo(/P) ^ g-/iix,/»iVp(^Ao) ^ ^ 
l + eAo(^) ~ 5hiUp(^i^o) “ 


Since y/h 1 + h2 > 1 , we have e/^g{s/P) < e. Using this, and 
the fact that (1 — x)/(l -b x) is a decreasing function of x, we 
have 

1 - e ^ g-ttix,/iivAp(^Ao) ^ ^ 


Let us define 


ghiUp(^i^o) 
gfcVp(^) ghy/p(^i^ 2 Ao) 


= - \ 

^ ^ gAivAp(^Ao) g-A2y,A2Up(^2Ao) ’ 

which is a function independent of x. We can therefore say 
that ^ ^ 

Y^p(w) <pw|a;(w) < Y^p(w). ( 8 ) 

Since p(w) does not depend on x, we can use the above to 
bound pw(w) = ig X]a:Fw|a;(w) in the same manner, and 
obtain EwgA bw|a:(w) -pw(w)| < Using the fact 

that e < 1 / 2 , we get V(pw,Pw|a:) < 16 e, thus completing 
the proof. ■ 

We now have all the necessary tools to prove Theorem 5 . 




























Proof of Theorem 5: If e < 1 / 2 , we have V(pw,Pw|x) ^ 
16 e from Lemma 8 . Since this is true for every x € An V(Ao), 
we also have V < 16 e. We can then use [Lemma 1 , [ 1 ]], which 
says that if |G| > 4, then I{W-X) < V(log2 |G| - log2 V). 

Since —a; log a; is an increasing function of x for a: < 1 /e, 
we can use the upper bound of 16 e for V if e < l/ 16 e. This 
completes the proof of the theorem. □ 

B. Achievable rates in presence of Gaussian noise 

As remarked in the previous section, we choose Aq so that 
the flatness factor eA(,(av/P) goes to zero exponentially in 
n, for some a < 1 . The following statement can be proved 
analogously to [ 9 , Theorem 16 ]: 

Theorem 9 . //Aq is good for MSE quantization and secrecy- 
good, and A is good for AWGN channel coding, then the 
average transmit power converges to P, and any rate less than 
1 log2 ^ log2 e can be achieved with strong secrecy as 

long as the order of no nonzero element of A/Aq divides hi 
or h2, and ^/{h\ + h\) > a?. 

V. Discussion 

So far, we studied the case where hi and /12 were co¬ 
prime integers. This can easily be extended to the general 
case where hi/h2 is rational. We can express hi = hki and 
/i2 = hk2 for some ft, € K and co-prime integers ki and k2. 
Then, it is easy to show that perfectly (resp. strongly) secure 
computation of ftiAT © ^2^^ can be performed at the relay as 
long as the order of no nonzero element of A/Aq divides ki or 
^2, and 2 /(|/ci| + |/c2|) > ct (resp. l/{kf-\-k2) > a^). Further¬ 
more, the achievable rate is given by ^ log2 ^ f2^ — log2(2e) 
(resp. i log2 i log2 e). 

A. Irrational channel gains 

We now make the observation that if hi and ft2 are nonzero 
and fti/ft2 is irrational, then the relay can uniquely recover 
the individual messages if the channel is noiseless. 

Proposition 10 . Suppose that hi, h2 are nonzero, and fti/ft2 
is irrational. Let A be a full-rank lattice in R". Then, for every 
u, V £ A, w = ftiu + ft2V uniquely determines (u, v). 

Proof: Consider any Ui, U2, vi, V2 £ A that satisfy 
ftiUi + ft2Vi = ftiU2 + ft2V2. If A is a (full-rank) generator 
matrix of A, then we can write Ui = A^Ui, U2 = A^U2, 
vi = A^vi, and V2 = A^V2, where Ui, U2, Vi, and V2 belong 
to IP. Therefore, fti(ui — U2) = ft2(v2 — vi). For j = 1 , 2 , 
and 1 < * < n, let Uj[i) and Vj{i) denote the Ah components 
of Uj and Vj respectively. Now suppose that Ui 7^ U2. Then, 
there exists some 1 < i < n such that ui(i) f £( 2 ( 1 ). 
Rearranging fti(ui(£) - U2{i)) = h2{v2{i) - 'Ci(*)). we get 
^ . However, the right hand side is clearly a 

rational number, which contradicts our hypothesis of fti/ft2 
being irrational. Therefore, Ui = U2. Similarly, Vi = V2. ■ 

For our lattice-based scheme to achieve perfect/strong se¬ 
crecy it is therefore necessary that fti/ft2 be rational, in which 
case we can write hi = hki and ft2 = hk2 for some 


ft £ R and co-prime integers ki and k2. In addition to this, 
no element of A/Aq can have its order dividing ki or k2 if 
we want to achieve security. While we have seen that the 
second requirement is sufficient to guarantee perfect/strong 
secrecy, we also claim that it is also a necessary condition 
for perfect secrecy. To see why this is the case, recall that we 
want Pk^u+k^vix = PfciU+fe2V for all x £ A/Aq. For this, the 
supports of the two pmfs must be the same. While the support 
of PfeiU-rfcsVix is fciAo + ft2A + fcix, the support of pfcjU+fcsV 
is kiA + k2A = A (since gcd(fci,fc2) = !)■ We can write 
fciAo + ft2A+fcix = UygAnv(Ao)(fciAo + fc2Ao + ftix+fc2y) = 
UygAnv(Ao)(^o + kix + k2y). If the order of some element 
of A/Aq divides k2, then we can argue using the pigeon hole 
principle that UygAnv(Ao) (^0 + + k2y) 7^ A, and hence, 

perfect secrecy is not obtained. This justifies our claim. 

The requirement of fti/ft2 being rational to obtain security 
may appear discouraging for a practical scenario, where the 
channel gains are almost surely irrational. However, we must 
note that we have used a rather pessimistic model for the 
system. In practice, the user nodes do have a rough estimate of 
the channel gains, and the channel is noisy. While it may not be 
possible to achieve perfect security even in presence of noise 
when the channel gains are irrational unknown to the user 
nodes, we may hope to achieve strong secrecy. We observed 
that if we proceed along the lines of Lemma 8, strong secrecy 


can be achieved if the flatness factors caq = 

o(l/n) for * = 1 , 2 . To achieve this, we could use a secrecy- 

Pc7^ 

good lattice scaled so that vol(V(Ao)) < for 

i = 1 , 2 . However, it turns out that this is in conflict with 

the requirement of reliable decoding of X and Y, for which 
we need vol(V(A)) to be greater than 27 re ■ H^nce, 

it seems that a different approach is required to tackle this 
problem. 

Before concluding the paper, we make a final remark. 
Although the scheme presented in Section II-A may not be 
optimal if the channel gains are not known exactly at the 
user nodes, we demonstrate that there is a scheme with which 
security can be obtained in such a scenario. 


B. Co-operative jamming: Security using Gaussian jamming 
signals 

We can use the following four-stage amplify-and-forward 
bidirectional relaying strategy: In the first phase, user A 
transmits its codeword Ui, which is jammed by a Gaussian 
random vector Vi generated by B. The relay simply scales 
the received vector and sends it to B, who knows V1 and can 
recover Ui. The channel from A to B can be modeled as a 
Gaussian wiretap channel, where R acts as the eavesdropper. 
Using a wiretap code [6] for U, we can achieve strong secrecy. 
User B similarly uses a wiretap code to transmit its message 
to user A via R in the third and fourth phases. 

A reasonable assumption to make is that the error in the 
estimation of hi and ft2 at both user nodes is at most 6. To 
keep things simple, let us assume that R simply forwards the 
received signal to the users without scaling. At the end of the 









second phase, B receives /iiUi + /12V1 + Z, where Z = Zi + 
Z2 is the sum of the noise vectors accumulated in the first two 
phases, and has variance af + cr^. Suppose that the estimates 
of hi, /i2 made by B are h'l and h'2 respectively. Due to the 
error in estimation, there would be a residual component of V 
remaining even after the jamming signal has been removed. 
Therefore, B “sees” an effective channel of h[Ui + ZB, where 
the effective noise is Zs = {hi — + (/12 — h^yVi + Z. 

On the other hand, R “sees” the effective channel /iiUi + 
Z', where Z' = Zi + /12V1. It can be shown that [6] using 
the lattice Gaussian distribution for randomization, i.e., P\j^\x 

given by (2) with / = g^, a rate of \ log2 (l + “ 

I log2 ^ \ log2 e can be achieved by A with 

strong secrecy. In fact, the rate can be slightly improved by 
using a modulo-and-forward scheme [10] instead of the simple 
amplify-and-forward scheme for relaying. 
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